Total
1799 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2019-3789 | 1 Cloudfoundry | 1 Routing Release | 2020-10-16 | 4.0 MEDIUM | 6.5 MEDIUM |
| Cloud Foundry Routing Release, all versions prior to 0.188.0, contains a vulnerability that can hijack the traffic to route services hosted outside the platform. A user with space developer permissions can create a private domain that shadows the external domain of the route service, and map that route to an app. When the gorouter receives traffic destined for the external route service, this traffic will instead be directed to the internal app using the shadow route. | |||||
| CVE-2019-3786 | 1 Cloudfoundry | 1 Bosh Backup And Restore | 2020-10-16 | 4.0 MEDIUM | 7.1 HIGH |
| Cloud Foundry BOSH Backup and Restore CLI, all versions prior to 1.5.0, does not check the authenticity of backup scripts in BOSH. A remote authenticated malicious user can modify the metadata file of a Bosh Backup and Restore job to request extra backup files from different jobs upon restore. The exploited hooks in this metadata script were only maintained in the cfcr-etcd-release, so clusters deployed with the BBR job for etcd in this release are vulnerable. | |||||
| CVE-2019-6525 | 1 Aveva | 1 Wonderware System Platform | 2020-10-16 | 4.0 MEDIUM | 8.8 HIGH |
| AVEVA Wonderware System Platform 2017 Update 2 and prior uses an ArchestrA network user account for authentication of system processes and inter-node communications. A user with low privileges could make use of an API to obtain the credentials for this account. | |||||
| CVE-2019-15789 | 1 Canonical | 1 Microk8s | 2020-10-16 | 7.2 HIGH | 7.8 HIGH |
| Privilege escalation vulnerability in MicroK8s allows a low privilege user with local access to obtain root access to the host by provisioning a privileged container. Fixed in MicroK8s 1.15.3. | |||||
| CVE-2019-3805 | 1 Redhat | 2 Jboss Enterprise Application Platform, Wildfly | 2020-10-16 | 4.7 MEDIUM | 4.7 MEDIUM |
| A flaw was discovered in wildfly versions up to 16.0.0.Final that would allow local users who are able to execute init.d script to terminate arbitrary processes on the system. An attacker could exploit this by modifying the PID file in /var/run/jboss-eap/ allowing the init.d script to terminate any process as root. | |||||
| CVE-2019-17631 | 2 Eclipse, Redhat | 7 Openj9, Enterprise Linux, Enterprise Linux Desktop and 4 more | 2020-10-16 | 6.4 MEDIUM | 9.1 CRITICAL |
| From Eclipse OpenJ9 0.15 to 0.16, access to diagnostic operations such as causing a GC or creating a diagnostic file are permitted without any privilege checks. | |||||
| CVE-2019-1939 | 2 Cisco, Microsoft | 2 Webex Teams, Windows | 2020-10-16 | 9.3 HIGH | 8.8 HIGH |
| A vulnerability in the Cisco Webex Teams client for Windows could allow an unauthenticated, remote attacker to execute arbitrary commands on an affected system. This vulnerability is due to improper restrictions on software logging features used by the application on Windows operating systems. An attacker could exploit this vulnerability by convincing a targeted user to visit a website designed to submit malicious input to the affected application. A successful exploit could allow the attacker to cause the application to modify files and execute arbitrary commands on the system with the privileges of the targeted user. | |||||
| CVE-2019-14838 | 1 Redhat | 5 Data Grid, Enterprise Linux, Jboss Enterprise Application Platform and 2 more | 2020-10-13 | 4.0 MEDIUM | 4.9 MEDIUM |
| A flaw was found in wildfly-core before 7.2.5.GA. The Management users with Monitor, Auditor and Deployer Roles should not be allowed to modify the runtime state of the server | |||||
| CVE-2020-12757 | 1 Hashicorp | 1 Vault | 2020-10-12 | 7.5 HIGH | 9.8 CRITICAL |
| HashiCorp Vault and Vault Enterprise 1.4.0 and 1.4.1, when configured with the GCP Secrets Engine, may incorrectly generate GCP Credentials with the default time-to-live lease duration instead of the engine-configured setting. This may lead to generated GCP credentials being valid for longer than intended. Fixed in 1.4.2. | |||||
| CVE-2019-7479 | 1 Sonicwall | 2 Sonicos, Sonicosv | 2020-10-09 | 6.5 MEDIUM | 7.2 HIGH |
| A vulnerability in SonicOS allow authenticated read-only admin can elevate permissions to configuration mode. This vulnerability affected SonicOS Gen 5 version 5.9.1.12-4o and earlier, Gen 6 version 6.2.7.4-32n, 6.5.1.4-4n, 6.5.2.3-4n, 6.5.3.3-3n, 6.2.7.10-3n, 6.4.1.0-3n, 6.5.3.3-3n, 6.5.1.9-4n and SonicOSv 6.5.0.2-8v_RC363 (VMWARE), 6.5.0.2.8v_RC367 (AZURE), SonicOSv 6.5.0.2.8v_RC368 (AWS), SonicOSv 6.5.0.2.8v_RC366 (HYPER_V). | |||||
| CVE-2019-1754 | 1 Cisco | 1 Ios Xe | 2020-10-08 | 9.0 HIGH | 8.8 HIGH |
| A vulnerability in the authorization subsystem of Cisco IOS XE Software could allow an authenticated but unprivileged (level 1), remote attacker to run privileged Cisco IOS commands by using the web UI. The vulnerability is due to improper validation of user privileges of web UI users. An attacker could exploit this vulnerability by submitting a malicious payload to a specific endpoint in the web UI. A successful exploit could allow the lower-privileged attacker to execute arbitrary commands with higher privileges on the affected device. | |||||
| CVE-2020-8247 | 1 Citrix | 5 Application Delivery Controller, Application Delivery Controller Firmware, Gateway and 2 more | 2020-10-07 | 6.5 MEDIUM | 8.8 HIGH |
| Citrix ADC and Citrix Gateway 13.0 before 13.0-64.35, Citrix ADC and NetScaler Gateway 12.1 before 12.1-58.15, Citrix ADC 12.1-FIPS before 12.1-55.187, Citrix ADC and NetScaler Gateway 12.0, Citrix ADC and NetScaler Gateway 11.1 before 11.1-65.12, Citrix SD-WAN WANOP 11.2 before 11.2.1a, Citrix SD-WAN WANOP 11.1 before 11.1.2a, Citrix SD-WAN WANOP 11.0 before 11.0.3f, Citrix SD-WAN WANOP 10.2 before 10.2.7b are vulnerable to escalation of privileges on the management interface. | |||||
| CVE-2015-4719 | 1 Pexip | 1 Pexip Infinity | 2020-10-07 | 7.5 HIGH | 9.8 CRITICAL |
| The client API authentication mechanism in Pexip Infinity before 10 allows remote attackers to gain privileges via a crafted request. | |||||
| CVE-2019-11896 | 1 Bosch | 2 Smart Home Controller, Smart Home Controller Firmware | 2020-10-06 | 6.8 MEDIUM | 7.1 HIGH |
| A potential incorrect privilege assignment vulnerability exists in the 3rd party pairing mechanism of the Bosch Smart Home Controller (SHC) before 9.8.907 that may result in a restricted app obtaining default app permissions. In order to exploit the vulnerability, the adversary needs to have successfully paired an app, which requires user interaction. | |||||
| CVE-2019-11893 | 1 Bosch | 2 Smart Home Controller, Smart Home Controller Firmware | 2020-10-06 | 4.9 MEDIUM | 8.0 HIGH |
| A potential incorrect privilege assignment vulnerability exists in the app permission update API of the Bosch Smart Home Controller (SHC) before 9.8.905 that may result in a restricted app obtaining default app permissions. In order to exploit the vulnerability, the adversary needs to have successfully paired an app with restricted permissions, which required user interaction. | |||||
| CVE-2019-11891 | 1 Bosch | 2 Smart Home Controller, Smart Home Controller Firmware | 2020-10-06 | 5.4 MEDIUM | 8.0 HIGH |
| A potential incorrect privilege assignment vulnerability exists in the app pairing mechanism of the Bosch Smart Home Controller (SHC) before 9.8.905 that may result in elevated privileges of the adversary's choosing. In order to exploit the vulnerability, the adversary needs physical access to the SHC during the attack. | |||||
| CVE-2019-7394 | 1 Ca | 2 Risk Authentication, Strong Authentication | 2020-10-06 | 6.5 MEDIUM | 8.8 HIGH |
| A privilege escalation vulnerability in the administrative user interface of CA Technologies CA Strong Authentication 9.0.x, 8.2.x, 8.1.x, 8.0.x, 7.1.x and CA Risk Authentication 9.0.x, 8.2.x, 8.1.x, 8.0.x, 3.1.x allows an authenticated attacker to gain additional privileges in some cases where an account has customized and limited privileges. | |||||
| CVE-2019-11270 | 1 Pivotal Software | 3 Application Service, Cloud Foundry Uaa, Operations Manager | 2020-10-02 | 5.0 MEDIUM | 7.5 HIGH |
| Cloud Foundry UAA versions prior to v73.4.0 contain a vulnerability where a malicious client possessing the 'clients.write' authority or scope can bypass the restrictions imposed on clients created via 'clients.write' and create clients with arbitrary scopes that the creator does not possess. | |||||
| CVE-2019-10144 | 1 Redhat | 1 Rkt | 2020-09-30 | 6.9 MEDIUM | 7.7 HIGH |
| rkt through version 1.30.0 does not isolate processes in containers that are run with `rkt enter`. Processes run with `rkt enter` are given all capabilities during stage 2 (the actual environment in which the applications run). Compromised containers could exploit this flaw to access host resources. | |||||
| CVE-2019-1010178 | 1 Modx | 1 Fred | 2020-09-30 | 7.5 HIGH | 9.8 CRITICAL |
| Fred MODX Revolution < 1.0.0-beta5 is affected by: Incorrect Access Control - CWE-648. The impact is: Remote Code Execution. The component is: assets/components/fred/web/elfinder/connector.php. The attack vector is: Uploading a PHP file or change data in the database. The fixed version is: https://github.com/modxcms/fred/commit/139cefac83b2ead90da23187d92739dec79d3ccd and https://github.com/modxcms/fred/commit/01f0a3d1ae7f3970639c2a0db1887beba0065246. | |||||